Last change on this file since 10bfa7e0 was 10bfa7e0, checked in by Bruce Dubbs <bdubbs@…>, 3 years ago

Update to Linux-PAM-1.5.0.

git-svn-id: svn://svn.linuxfromscratch.org/BLFS/trunk/BOOK@23888 af4574ff-66df-0310-9fd7-8a98e5e911e0

1<?xml version="1.0" encoding="ISO-8859-1"?>
2<!DOCTYPE sect1 PUBLIC "-//OASIS//DTD DocBook XML V4.5//EN"
3 "http://www.oasis-open.org/docbook/xml/4.5/docbookx.dtd" [
4 <!ENTITY % general-entities SYSTEM "../../general.ent">
5 %general-entities;
6
7 <!ENTITY linux-pam-download-http "https://github.com/linux-pam/linux-pam/releases/download/v&linux-pam-version;/Linux-PAM-&linux-pam-version;.tar.xz">
8 <!ENTITY linux-pam-download-ftp " ">
9 <!ENTITY linux-pam-md5sum "51d8ef45f050418c8ac5c1636efe5731">
10 <!ENTITY linux-pam-size "952 KB">
11 <!ENTITY linux-pam-buildsize "35 MB (with tests)">
12 <!ENTITY linux-pam-time "0.4 SBU (with tests)">
13
14 <!ENTITY linux-pam-docs-download "https://github.com/linux-pam/linux-pam/releases/download/v&linux-pam-version;/Linux-PAM-&linux-pam-docs-version;-docs.tar.xz">
15 <!ENTITY linux-pam-docs-md5sum "1d05dda7dc2e275c226d9a4076dad66e">
16 <!ENTITY linux-pam-docs-size "432 KB">
17 <!--
18 <!ENTITY debian-pam-docs "http://debian.securedservers.com/kernel/pub/linux/libs/pam">
19 -->
20]>
21
22<sect1 id="linux-pam" xreflabel="Linux-PAM-&linux-pam-version;">
23 <?dbhtml filename="linux-pam.html"?>
24
25 <sect1info>
26 <othername>$LastChangedBy$</othername>
27 <date>$Date$</date>
28 </sect1info>
29
30 <title>Linux-PAM-&linux-pam-version;</title>
31
32 <indexterm zone="linux-pam">
33 <primary sortas="a-Linux-PAM">Linux-PAM</primary>
34 </indexterm>
35
36 <sect2 role="package">
37 <title>Introduction to Linux PAM</title>
38
39 <para>
40 The <application>Linux PAM</application> package contains
41 Pluggable Authentication Modules used to enable the local
42 system administrator to choose how applications authenticate
43 users.
44 </para>
45
46 &lfs10_checked;
47
48 <bridgehead renderas="sect3">Package Information</bridgehead>
49 <itemizedlist spacing="compact">
50 <listitem>
51 <para>
52 Download (HTTP): <ulink url="&linux-pam-download-http;"/>
53 </para>
54 </listitem>
55 <listitem>
56 <para>
57 Download (FTP): <ulink url="&linux-pam-download-ftp;"/>
58 </para>
59 </listitem>
60 <listitem>
61 <para>
62 Download MD5 sum: &linux-pam-md5sum; (this only detects a corrupted download; MD5 is not collision-resistant, so a matching sum does not by itself prove the tarball is authentic)
63 </para>
64 </listitem>
65 <listitem>
66 <para>
67 Download size: &linux-pam-size;
68 </para>
69 </listitem>
70 <listitem>
71 <para>
72 Estimated disk space required: &linux-pam-buildsize;
73 </para>
74 </listitem>
75 <listitem>
76 <para>
77 Estimated build time: &linux-pam-time;
78 </para>
79 </listitem>
80 </itemizedlist>
81
82 <bridgehead renderas="sect3">Additional Downloads</bridgehead>
83 <itemizedlist spacing="compact">
84 <title>Optional Documentation</title>
85 <listitem>
86 <para>
87 Download (HTTP): <ulink url="&linux-pam-docs-download;"/>
88 </para>
89 </listitem>
90 <listitem>
91 <para>
92 Download MD5 sum: &linux-pam-docs-md5sum;
93 </para>
94 </listitem>
95 <listitem>
96 <para>
97 Download size: &linux-pam-docs-size;
98 </para>
99 </listitem>
100 </itemizedlist>
101
102 <bridgehead renderas="sect3">Linux PAM Dependencies</bridgehead>
103
104 <bridgehead renderas="sect4">Optional</bridgehead>
105 <para role="optional">
106 <xref linkend="db"/>,
107 <xref linkend="libnsl"/>,
108 <xref linkend="libtirpc"/>,
109 <ulink url="https://github.com/linux-audit/audit-userspace">libaudit</ulink>, and
110 <ulink url="http://www.prelude-siem.org">Prelude</ulink>
111 </para>
112
113 <bridgehead renderas="sect4">Optional (To Rebuild the Documentation)</bridgehead>
114 <para role="optional">
115 <xref linkend="DocBook"/>,
116 <xref linkend="docbook-xsl"/>,
117 <xref linkend="fop"/>,
118 <xref linkend="libxslt"/> and either
119 <xref linkend="lynx"/> or
120 <ulink url="&w3m-url;">W3m</ulink>
121 </para>
122
123 <note>
124 <para role="required">
125 <xref role="runtime" linkend="shadow"/>
126 <phrase revision="systemd"> and <xref role="runtime" linkend="systemd"/>
127 need</phrase><phrase revision="sysv">needs</phrase> to be reinstalled
128 after installing and configuring <application>Linux PAM</application>.
129 </para>
130
131 <para role="recommended">
132 With Linux-PAM-1.4.0 and higher, the pam_cracklib module has been
133 removed from the package. To enforce strong passwords, it is recommended
134 to use <xref role="runtime" linkend="libpwquality"/>.
135 </para>
136 </note>
137
138 <para condition="html" role="usernotes">User Notes:
139 <ulink url="&blfs-wiki;/linux-pam"/>
140 </para>
141 </sect2>
142
143 <sect2 role="installation">
144 <title>Installation of Linux PAM</title>
145
146 <para revision="sysv">
147 First prevent the installation of an unneeded systemd file:
148 </para>
149
150<screen revision="sysv"><userinput>sed -e /service_DATA/d \
151 -i modules/pam_namespace/Makefile.am &amp;&amp;
152autoreconf</userinput></screen>
153
154 <para>
155 If you downloaded the documentation, unpack the tarball by issuing
156 the following command.
157 </para>
158
159<screen><userinput>tar -xf ../Linux-PAM-&linux-pam-docs-version;-docs.tar.xz --strip-components=1</userinput></screen>
160
161 <para>
162 If you instead want to regenerate the documentation, fix the
163 <command>configure</command> script so that it detects lynx if installed:
164 </para>
165
166<screen><userinput>sed -e 's/dummy elinks/dummy lynx/' \
167 -e 's/-no-numbering -no-references/-force-html -nonumbers -stdin/' \
168 -i configure</userinput></screen>
169
170 <para>
171 Install <application>Linux PAM</application> by
172 running the following commands:
173 </para>
174
175<screen><userinput>./configure --prefix=/usr \
176 --sysconfdir=/etc \
177 --libdir=/usr/lib \
178 --enable-securedir=/lib/security \
179 --docdir=/usr/share/doc/Linux-PAM-&linux-pam-version; &amp;&amp;
180make</userinput></screen>
181
182 <para>
183 To test the results, a suitable <filename>/etc/pam.d/other</filename>
184 configuration file must exist.
185 </para>
186
187 <caution>
188 <title>Reinstallation or upgrade of Linux PAM</title>
189 <para>
190 If you have a system with Linux PAM installed and working, be careful
191 when modifying the files in
192 <filename class="directory">/etc/pam.d</filename>, since your system
193 may become totally unusable. If you want to run the tests, you do not
194 need to create another <filename>/etc/pam.d/other</filename> file. The
195 installed one can be used for that purpose.
196 </para>
197
198 <para>
199 You should also be aware that <command>make install</command>
200 overwrites the configuration files in
201 <filename class="directory">/etc/security</filename> as well as
202 <filename>/etc/environment</filename>. In case you
203 have modified those files, be sure to back them up.
204 </para>
205 </caution>
206
207 <para>
208 For a first installation, create the configuration file by issuing the
209 following commands as the <systemitem class="username">root</systemitem>
210 user:
211 </para>
212
213<screen role="root"><userinput>install -v -m755 -d /etc/pam.d &amp;&amp;
214
215cat &gt; /etc/pam.d/other &lt;&lt; "EOF"
216<literal>auth required pam_deny.so
217account required pam_deny.so
218password required pam_deny.so
219session required pam_deny.so</literal>
220EOF</userinput></screen>
221
222 <para>
223 Now run the tests by issuing <command>make check</command>.
224 Ensure there are no errors produced by the tests before continuing the
225 installation. Note that the checks are quite long. It may be useful to
226 redirect the output to a log file in order to inspect it thoroughly.
227 </para>
228
229 <para>
230 Only in case of a first installation, remove the configuration file
231 created earlier by issuing the following command as the
232 <systemitem class="username">root</systemitem> user:
233 </para>
234
235<screen role="root"><userinput>rm -fv /etc/pam.d/other</userinput></screen>
236
237 <para>
238 Now, as the <systemitem class="username">root</systemitem>
239 user:
240 </para>
241
242<screen role="root"><userinput>make install &amp;&amp;
243chmod -v 4755 /sbin/unix_chkpwd &amp;&amp;
244
245for file in pam pam_misc pamc
246do
247 mv -v /usr/lib/lib${file}.so.* /lib &amp;&amp;
248 ln -sfv ../../lib/$(readlink /usr/lib/lib${file}.so) /usr/lib/lib${file}.so
249done</userinput></screen>
250
251 </sect2>
252
253 <sect2 role="commands">
254 <title>Command Explanations</title>
255
256 <para>
257 <parameter>--enable-securedir=/lib/security</parameter>:
258 This switch sets install location for the
259 <application>PAM</application> modules.
260 </para>
261
262 <para>
263 <option>--disable-regenerate-docu</option> : If the needed dependencies
264 (<xref linkend="DocBook"/>, <xref linkend="docbook-xsl"/>, <xref
265 linkend="libxslt"/>, and <xref linkend="lynx"/> or <ulink
266 url="&w3m-url;">W3m</ulink>) are installed, the manual pages, and the
267 html and text documentations are (re)generated and installed.
268 Furthermore, if <xref linkend="fop"/> is installed, the PDF
269 documentation is generated and installed. Use this switch if you do not
270 want to rebuild the documentation.
271 </para>
272
273 <para>
274 <command>chmod -v 4755 /sbin/unix_chkpwd</command>:
275 The <command>unix_chkpwd</command> helper program must be setuid
276 <systemitem class="username">root</systemitem> so that PAM-aware programs
277 running as a non-<systemitem class="username">root</systemitem> user can still verify a password against the shadow file, which ordinary users cannot read. The helper only checks the password of the user that invoked it, which limits what the setuid bit exposes.
278 </para>
279
280 </sect2>
281
282 <sect2 role="configuration">
283 <title>Configuring Linux-PAM</title>
284
285 <sect3 id="pam-config">
286 <title>Config Files</title>
287
288 <para>
289 <filename>/etc/security/*</filename> and
290 <filename>/etc/pam.d/*</filename>
291 </para>
292
293 <indexterm zone="linux-pam pam-config">
294 <primary sortas="e-etc-security">/etc/security/*</primary>
295 </indexterm>
296
297 <indexterm zone="linux-pam pam-config">
298 <primary sortas="e-etc-pam.d">/etc/pam.d/*</primary>
299 </indexterm>
300
301 </sect3>
302
303 <sect3>
304 <title>Configuration Information</title>
305
306 <para>
307 Configuration information is placed in
308 <filename class="directory">/etc/pam.d/</filename>.
309 Below is an example file. Note that the <option>nullok</option> argument to <filename>pam_unix.so</filename> allows an account whose password field is empty to authenticate without entering a password; omit it unless you specifically need that behaviour.
310 </para>
311
312<screen><literal># Begin /etc/pam.d/other
313
314auth required pam_unix.so nullok
315account required pam_unix.so
316session required pam_unix.so
317password required pam_unix.so nullok
318
319# End /etc/pam.d/other</literal></screen>
320
321 <para>
322 Now set up some generic files. As root:
323 </para>
324
325<screen role="root"><userinput>install -vdm755 /etc/pam.d &amp;&amp;
326cat &gt; /etc/pam.d/system-account &lt;&lt; "EOF" &amp;&amp;
327<literal># Begin /etc/pam.d/system-account
328
329account required pam_unix.so
330
331# End /etc/pam.d/system-account</literal>
332EOF
333
334cat &gt; /etc/pam.d/system-auth &lt;&lt; "EOF" &amp;&amp;
335<literal># Begin /etc/pam.d/system-auth
336
337auth required pam_unix.so
338
339# End /etc/pam.d/system-auth</literal>
340EOF
341
342cat &gt; /etc/pam.d/system-session &lt;&lt; "EOF"
343<literal># Begin /etc/pam.d/system-session
344
345session required pam_unix.so
346
347# End /etc/pam.d/system-session</literal>
348EOF
349cat &gt; /etc/pam.d/system-password &lt;&lt; "EOF"
350<literal># Begin /etc/pam.d/system-password
351
352 # hash new passwords with SHA-512 (hashing, not encryption), store them in
353 # the shadow file, and try to use any authentication token (chosen password)
354 # already set by a prior module
354password required pam_unix.so sha512 shadow try_first_pass
355
356# End /etc/pam.d/system-password</literal>
357EOF
358</userinput></screen>
359
360 <para>
361 The <filename>system-password</filename> file above does not enforce
362 password complexity or dictionary checks. If you wish to enforce strong
363 passwords, install <xref linkend="libpwquality"/>, and follow the
364 instructions in that page to configure the pam_pwquality PAM module.
365 </para>
366
367<!-- With the removal of the pam_cracklib module, we're supposed to be using
368 libpwquality. That already includes instructions in it's configuration
369 information page, so we'll use those instead.
370
371 Linux-PAM must be installed prior to libpwquality so that PAM support
372 is built in, and the PAM module is built.
373-->
374<!--
375 <para>
376 The remaining generic file depends on whether <xref
377 linkend="cracklib"/> is installed. If it is installed, use:
378 </para>
379
380<screen role="root"><userinput>cat &gt; /etc/pam.d/system-password &lt;&lt; "EOF"
381<literal># Begin /etc/pam.d/system-password
382
383# check new passwords for strength (man pam_cracklib)
384password required pam_cracklib.so authtok_type=UNIX retry=1 difok=5 \
385 minlen=9 dcredit=1 ucredit=1 \
386 lcredit=1 ocredit=1 minclass=0 \
387 maxrepeat=0 maxsequence=0 \
388 maxclassrepeat=0 \
389 dictpath=/lib/cracklib/pw_dict
390# use sha512 hash for encryption, use shadow, and use the
391# authentication token (chosen password) set by pam_cracklib
392# above (or any previous modules)
393password required pam_unix.so sha512 shadow use_authtok
394
395# End /etc/pam.d/system-password</literal>
396EOF</userinput></screen>
397
398 <note>
399 <para>
400 In its default configuration, pam_cracklib will
401 allow multiple case passwords as short as 6 characters, even with
402 the <parameter>minlen</parameter> value set to 11. You should review
403 the pam_cracklib(8) man page and determine if these default values
404 are acceptable for the security of your system.
405 </para>
406 </note>
407
408 <para>
409 If <xref linkend="cracklib"/> is <emphasis>NOT</emphasis> installed,
410 use:
411 </para>
412
413<screen role="nodump"><userinput>cat &gt; /etc/pam.d/system-password &lt;&lt; "EOF"
414<literal># Begin /etc/pam.d/system-password
415
416# use sha512 hash for encryption, use shadow, and try to use any previously
417# defined authentication token (chosen password) set by any prior module
418password required pam_unix.so sha512 shadow try_first_pass
419
420# End /etc/pam.d/system-password</literal>
421EOF</userinput></screen>
422-->
423 <para>
424 Now add a restrictive <filename>/etc/pam.d/other</filename>
425 configuration file. With this file, a PAM-aware program that has no
426 configuration file of its own is denied in every management group; <filename>pam_warn.so</filename> logs each such attempt via syslog before <filename>pam_deny.so</filename> rejects it, so a missing service file shows up in the logs instead of failing silently.
427 </para>
429
430<screen role="root"><userinput>cat &gt; /etc/pam.d/other &lt;&lt; "EOF"
431<literal># Begin /etc/pam.d/other
432
433auth required pam_warn.so
434auth required pam_deny.so
435account required pam_warn.so
436account required pam_deny.so
437password required pam_warn.so
438password required pam_deny.so
439session required pam_warn.so
440session required pam_deny.so
441
442# End /etc/pam.d/other</literal>
443EOF</userinput></screen>
444
445 <para>
446 The <application>PAM</application> man page (<command>man
447 pam</command>) provides a good starting point for descriptions
448 of fields and allowable entries. The
449 <ulink url="http://www.linux-pam.org/Linux-PAM-html/Linux-PAM_SAG.html">
450 Linux-PAM System Administrators' Guide
451 </ulink> is recommended for additional information.
452 </para>
453
454 <important>
455 <para>
456 You should now reinstall the <xref linkend="shadow"/>
457 <phrase revision="sysv">package.</phrase>
458 <phrase revision="systemd"> and <xref linkend="systemd"/>
459 packages.</phrase>
460 </para>
461 </important>
462
463 </sect3>
464
465 </sect2>
466
467 <sect2 role="content">
468 <title>Contents</title>
469
470 <segmentedlist>
471 <segtitle>Installed Program</segtitle>
472 <segtitle>Installed Libraries</segtitle>
473 <segtitle>Installed Directories</segtitle>
474
475 <seglistitem>
476 <seg>
477 faillock, mkhomedir_helper,
478 pam_timestamp_check, unix_chkpwd and
479 unix_update
480 </seg>
481 <seg>
482 libpam.so, libpamc.so and libpam_misc.so
483 </seg>
484 <seg>
485 /etc/security,
486 /lib/security,
487 /usr/include/security and
488 /usr/share/doc/Linux-PAM-&linux-pam-version;
489 </seg>
490 </seglistitem>
491 </segmentedlist>
492
493 <variablelist>
494 <bridgehead renderas="sect3">Short Descriptions</bridgehead>
495 <?dbfo list-presentation="list"?>
496 <?dbhtml list-presentation="table"?>
497
498 <varlistentry id="faillock">
499 <term><command>faillock</command></term>
500 <listitem>
501 <para>
502 displays and modifies the authentication failure record files.
503 </para>
504 <indexterm zone="linux-pam faillock">
505 <primary sortas="b-faillock">faillock</primary>
506 </indexterm>
507 </listitem>
508 </varlistentry>
509
510 <varlistentry id="mkhomedir_helper">
511 <term><command>mkhomedir_helper</command></term>
512 <listitem>
513 <para>
514 is a helper binary that creates home directories.
515 </para>
516 <indexterm zone="linux-pam mkhomedir_helper">
517 <primary sortas="b-mkhomedir_helper">mkhomedir_helper</primary>
518 </indexterm>
519 </listitem>
520 </varlistentry>
521
522<!-- Removed with the removal of the pam_tally{,2} module
523 <varlistentry id="pam_tally">
524 <term><command>pam_tally</command></term>
525 <listitem>
526 <para>
527 is used to interrogate and manipulate the login counter file.
528 </para>
529 <indexterm zone="linux-pam pam_tally">
530 <primary sortas="b-pam_tally">pam_tally</primary>
531 </indexterm>
532 </listitem>
533 </varlistentry>
534
535 <varlistentry id="pam_tally2">
536 <term><command>pam_tally2</command></term>
537 <listitem>
538 <para>
539 is used to interrogate and manipulate the login counter file, but
540 does not have some limitations that <command>pam_tally</command>
541 does.
542 </para>
543 <indexterm zone="linux-pam pam_tally2">
544 <primary sortas="b-pam_tally2">pam_tally2</primary>
545 </indexterm>
546 </listitem>
547 </varlistentry>
548-->
549
550 <varlistentry id="pam_timestamp_check">
551 <term><command>pam_timestamp_check</command></term>
552 <listitem>
553 <para>
554 is used to check if the default timestamp is valid
555 </para>
556 <indexterm zone="linux-pam pam_timestamp_check">
557 <primary sortas="b-pam_timestamp_check">pam_timestamp_check</primary>
558 </indexterm>
559 </listitem>
560 </varlistentry>
561
562 <varlistentry id="unix_chkpwd">
563 <term><command>unix_chkpwd</command></term>
564 <listitem>
565 <para>
566 is a helper binary that verifies the password of the current user.
567 </para>
568 <indexterm zone="linux-pam unix_chkpwd">
569 <primary sortas="b-unix_chkpwd">unix_chkpwd</primary>
570 </indexterm>
571 </listitem>
572 </varlistentry>
573
574 <varlistentry id="unix_update">
575 <term><command>unix_update</command></term>
576 <listitem>
577 <para>
578 is a helper binary that updates the password of a given user.
579 </para>
580 <indexterm zone="linux-pam unix_update">
581 <primary sortas="b-unix_update">unix_update</primary>
582 </indexterm>
583 </listitem>
584 </varlistentry>
585
586 <varlistentry id="libpam">
587 <term><filename class="libraryfile">libpam.so</filename></term>
588 <listitem>
589 <para>
590 provides the interfaces between applications and the
591 PAM modules.
592 </para>
593 <indexterm zone="linux-pam libpam">
594 <primary sortas="c-libpam">libpam.so</primary>
595 </indexterm>
596 </listitem>
597 </varlistentry>
598
599 </variablelist>
600
601 </sect2>
602
603</sect1>